英文:
Terraform for_each over yaml file contents which is an object
问题
I have a yaml file which is similar to the following (FYI: ssm_secrets can be an empty array):
rabbitmq:repo_name: bitnaminamespace: rabbitmqtarget_revision: 11.1.1path: rabbitmqvalues_file: charts/rabbitmq/values.yamlssm_secrets: []app_name_1:repo_name: repo_name_1namespace: namespace_1target_revision: target_revision_1path: charts/pathvalues_file: values.yamlssm_secrets:- name: name-dev-1key: .envssm_path: ssm_path/devname-backend:repo_name: repo_name_2namespace: namespace_2target_revision: target_revision_2path: charts/name-backendvalues_file: values.yamlssm_secrets:- name: name-backend-app-devssm_path: name-backend/app/devkey: app.ini- name: name-backend-abi-devssm_path: name-backend/abi/devkey: contractTokenABI.json- name: name-backend-widget-devssm_path: name-backend/widget/devkey: name.ini- name: name-abi-devssm_path: name-abi/devkey: name_1.json- name: name-website-devssm_path: name/website/devkey: website.ini- name: name-name-devssm_path: name/name/devkey: contract.ini- name: name-key-devssm_path: name-key/devkey: name.pub
And using External Secrets and EKS Blueprints, I am trying to generate the yaml file necessary to create the secrets:
resource "kubectl_manifest" "secret" {for_each = toset(flatten([for service in var.secrets : service.ssm_secrets[*].ssm_path]))yaml_body = <<YAMLapiVersion: external-secrets.io/v1beta1kind: ExternalSecretmetadata:name: ${replace(each.value, "/", "-")}namespace: ${split("/", each.value)[0]}spec:refreshInterval: 30msecretStoreRef:name: ${local.cluster_secretstore_name}kind: ClusterSecretStoredata:- secretKey: .envremoteRef:key: ${each.value}YAMLdepends_on = [kubectl_manifest.cluster_secretstore, kubernetes_namespace_v1.namespaces]}
The above works fine, but I also need to use the key value from the yaml into secretKey: <key_value from yaml>.
If I try with for_each = toset(flatten([for service in var.secrets : service.ssm_secrets[*]])), it just gives me the following error:
The given "for_each" argument value is unsuitable: "for_each" supportsmaps and sets of strings, but you have provided a set containing typeobject.
I have tried converting the variable into a map, used lookup, but it doesn't work. Any help would be much appreciated.
Update 1:
As per @MattSchuchard suggestion, changing the for_each into for_each = toset(flatten([for service in var.secrets : service.ssm_secrets])) gave the following error:
Error: Invalid for_each set argumenton ../../modules/02-plugins/external-secrets.tf line 58, in resource "kubectl_manifest" "secret":58: for_each = toset(flatten([for service in var.secrets : service.ssm_secrets]))The given "for_each" argument value is unsuitable: "for_each" supports maps and sets of strings, but you have provided a set containing type object.
Update 2:
@mariux gave the perfect solution, but here is what I came up with. It's not that cleaner, but definitely works (PS: I myself am going to use Mariux's solution):
locals {my_list = tolist(flatten([for service in var.secrets : service.ssm_secrets[*]]))}resource "kubectl_manifest" "secret" {count = length(local.my_list)yaml_body = <<YAMLapiVersion: external-secrets.io/v1beta1kind: ExternalSecretmetadata:name: ${replace(local.my_list[count.index]["ssm_path"], "/", "-")}namespace: ${split("/", local.my_list[count.index]["ssm_path"])[0]}spec:refreshInterval: 30msecretStoreRef:name: ${local.cluster_secretstore_name}kind: ClusterSecretStoredata:- secretKey: ${local.my_list[count.index]["key"]}remoteRef:key: ${local.my_list[count.index]["ssm_path"]}YAMLdepends_on = [kubectl_manifest.cluster_secretstore, kubernetes_namespace_v1.namespaces]}
英文:
I have a yaml file which is similar to the following (FYI: ssm_secrets can be an empty array):
rabbitmq:repo_name: bitnaminamespace: rabbitmqtarget_revision: 11.1.1path: rabbitmqvalues_file: charts/rabbitmq/values.yamlssm_secrets: []app_name_1:repo_name: repo_name_1namespace: namespace_1target_revision: target_revision_1path: charts/pathvalues_file: values.yamlssm_secrets:- name: name-dev-1key: .envssm_path: ssm_path/devname-backend:repo_name: repo_name_2namespace: namespace_2target_revision: target_revision_2path: charts/name-backendvalues_file: values.yamlssm_secrets:- name: name-backend-app-devssm_path: name-backend/app/devkey: app.ini- name: name-backend-abi-devssm_path: name-backend/abi/devkey: contractTokenABI.json- name: name-backend-widget-devssm_path: name-backend/widget/devkey: name.ini- name: name-abi-devssm_path: name-abi/devkey: name_1.json- name: name-website-devssm_path: name/website/devkey: website.ini- name: name-name-devssm_path: name/name/devkey: contract.ini- name: name-key-devssm_path: name-key/devkey: name.pub
And using External Secrets and EKS Blueprints, I am trying to generate the yaml file necessary to create the secrets
resource "kubectl_manifest" "secret" {for_each = toset(flatten([for service in var.secrets : service.ssm_secrets[*].ssm_path]))yaml_body = <<YAMLapiVersion: external-secrets.io/v1beta1kind: ExternalSecretmetadata:name: ${replace(each.value, "/", "-")}namespace: ${split("/", each.value)[0]}spec:refreshInterval: 30msecretStoreRef:name: ${local.cluster_secretstore_name}kind: ClusterSecretStoredata:- secretKey: .envremoteRef:key: ${each.value}YAMLdepends_on = [kubectl_manifest.cluster_secretstore, kubernetes_namespace_v1.namespaces]}
The above works fine, but I also need to use the key value from the yaml into secretKey: <key_value from yaml>.
If I try with for_each = toset(flatten([for service in var.secrets : service.ssm_secrets[*]]))
resource "kubectl_manifest" "secret" {for_each = toset(flatten([for service in var.secrets : service.ssm_secrets[*]]))yaml_body = <<YAMLapiVersion: external-secrets.io/v1beta1kind: ExternalSecretmetadata:name: ${replace(each.value["ssm_path"], "/", "-")}namespace: ${split("/", each.value["ssm_path"])[0]}spec:refreshInterval: 30msecretStoreRef:name: ${local.cluster_secretstore_name}kind: ClusterSecretStoredata:- secretKey: .envremoteRef:key: ${each.value["ssm_path"]}YAMLdepends_on = [kubectl_manifest.cluster_secretstore, kubernetes_namespace_v1.namespaces]}
It just gives me the following error:
> The given "for_each" argument value is unsuitable: "for_each" supports
> maps and sets of strings, but you have provided a set containing type
> object.
I have tried converting the variable into a map, used lookup, but it doesn't work.
Any help would be much appreciated.
Update 1:
As per @MattSchuchard suggestion, changing the for_each into
for_each = toset(flatten([for service in var.secrets : service.ssm_secrets]))
Gave the following error:
Error: Invalid for_each set argument││ on ../../modules/02-plugins/external-secrets.tf line 58, in resource "kubectl_manifest" "secret":│ 58: for_each = toset(flatten([for service in var.secrets : service.ssm_secrets]))│ ├────────────────│ │ var.secrets is object with 14 attributes││ The given "for_each" argument value is unsuitable: "for_each" supports maps and sets of strings, but you have provided a set containing type object.
Update 2:
@mariux gave the perfect solution, but here is what I came up with. It's not that cleaner, but definitely works (PS: I myself am going to use Mariux's solution):
locals {my_list = tolist(flatten([for service in var.secrets : service.ssm_secrets[*]]))}resource "kubectl_manifest" "secret" {count = length(local.my_list)yaml_body = <<YAMLapiVersion: external-secrets.io/v1beta1kind: ExternalSecretmetadata:name: ${replace(local.my_list[count.index]["ssm_path"], "/", "-")}namespace: ${split("/", local.my_list[count.index]["ssm_path"])[0]}spec:refreshInterval: 30msecretStoreRef:name: ${local.cluster_secretstore_name}kind: ClusterSecretStoredata:- secretKey: ${local.my_list[count.index]["key"]}remoteRef:key: ${local.my_list[count.index]["ssm_path"]}YAMLdepends_on = [kubectl_manifest.cluster_secretstore, kubernetes_namespace_v1.namespaces]}
答案1
得分: 3
假设
根据您分享的信息,我做出以下假设:
- 您并不真正关心该服务,因为您想使用给定的
key和ssm_path属性创建外部密钥ssm_secrets.*.name。 - 每个
name对于所有服务来说都是全局唯一的,不会重复使用。
Terraform 技巧
根据这些假设,您可以创建所有 ssm_secrets 的数组,使用以下代码:
locals {ssm_secrets_all = flatten(values(var.secrets)[*].ssm_secrets)}
并将其转换为可以在 for_each 中使用的映射,通过按 .name 键入值:
locals {ssm_secrets_map = { for v in local.ssm_secrets_all : v.name => v }}
完整(工作)示例
以下示例对我来说有效,并做出了一些变量应该使用的假设。
- 使用
yamldecode将原始输入解码为local.input - 使用
yamlencode使读取清单更容易,并删除了一些字符串插值。这还确保缩进正确,因为我们将 HCL 转换为 yaml。
terraform init && terraform plan 将计划创建以下资源:
kubectl_manifest.secret["name-abi-dev"] 将被创建kubectl_manifest.secret["name-backend-abi-dev"] 将被创建kubectl_manifest.secret["name-backend-app-dev"] 将被创建kubectl_manifest.secret["name-backend-widget-dev"] 将被创建kubectl_manifest.secret["name-dev-1"] 将被创建kubectl_manifest.secret["name-key-dev"] 将被创建kubectl_manifest.secret["name-name-dev"] 将被创建kubectl_manifest.secret["name-website-dev"] 将被创建
locals {# input = var.secretsssm_secrets_all = flatten(values(local.input)[*].ssm_secrets)ssm_secrets_map = { for v in local.ssm_secrets_all : v.name => v }cluster_secretstore_name = "not provided secretstore name"}resource "kubectl_manifest" "secret" {for_each = local.ssm_secrets_mapyaml_body = yamlencode({apiVersion = "external-secrets.io/v1beta1"kind = "ExternalSecret"metadata = {name = replace(each.value.ssm_path, "/", "-")namespace = split("/", each.value.ssm_path)[0]}spec = {refreshInterval = "30m"secretStoreRef = {name = local.cluster_secretstore_namekind = "ClusterSecretStore"}data = [{secretKey = ".env"remoteRef = {key = each.value.key}}]}})# not included dependencies# depends_on = [kubectl_manifest.cluster_secretstore, kubernetes_namespace_v1.namespaces]}locals {input = yamldecode(<<-EOFrabbitmq:repo_name: bitnaminamespace: rabbitmqtarget_revision: 11.1.1path: rabbitmqvalues_file: charts/rabbitmq/values.yamlssm_secrets: []app_name_1:repo_name: repo_name_1namespace: namespace_1target_revision: target_revision_1path: charts/pathvalues_file: values.yamlssm_secrets:- name: name-dev-1key: .envssm_path: ssm_path/devname-backend:repo_name: repo_name_2namespace: namespace_2target_revision: target_revision_2path: charts/name-backendvalues_file: values.yamlssm_secrets:- name: name-backend-app-devssm_path: name-backend/app/devkey: app.ini- name: name-backend-abi-devssm_path: name-backend/abi/devkey: contractTokenABI.json- name: name-backend-widget-devssm_path: name-backend/widget/devkey: name.ini- name: name-abi-devssm_path: name-abi/devkey: name_1.json- name: name-website-devssm_path: name/website/devkey: website.ini- name: name-name-devssm_path: name/name/devkey: contract.ini- name: name-key-devssm_path: name-key/devkey: name.pubEOF)}terraform {required_version = "~> 1.0"required_providers {kubectl = {source = "gavinbunney/kubectl"version = "~> 1.7"}}}
提示:您也可以尝试使用 kubernetes_manifest 资源 而不是 kubectl_manifest。
附注:我们创建了 Terramate 来使复杂的 Terraform 代码创建变得更容易。但这对于纯粹的 Terraform 来说似乎已经足够了。
英文:
Assumptions
Based on what you shared, i make the following assumptions:
- the service is not actually important for you as you want to create external secrets by
ssm_secrets.*.nameusing the givenkeyandssm_pathattributes. - each
nameis globally unique for all services and never reused.
terraform hacks
Based on the assumptions you can create an array of ALL ssm_secrets using
locals {ssm_secrets_all = flatten(values(var.secrets)[*].ssm_secrets)}
and convert it to a map that can be used in for_each by keying the values by .name:
locals {ssm_secrets_map = { for v in local.ssm_secrets_all : v.name => v }}
Full (working) example
The example below works for me and makes some assumption where the variables should be used.
- Using
yamldecodeto decode your original input intolocal.input - Using
yamlencodeto make reading the manifest easier and removing some string interpolcations. This also ensures that the indent is correct as we convert HCL to yaml.
A terraform init && terraform plan will plan to create the following resources:
kubectl_manifest.secret["name-abi-dev"] will be createdkubectl_manifest.secret["name-backend-abi-dev"] will be createdkubectl_manifest.secret["name-backend-app-dev"] will be createdkubectl_manifest.secret["name-backend-widget-dev"] will be createdkubectl_manifest.secret["name-dev-1"] will be createdkubectl_manifest.secret["name-key-dev"] will be createdkubectl_manifest.secret["name-name-dev"] will be createdkubectl_manifest.secret["name-website-dev"] will be created
locals {# input = var.secretsssm_secrets_all = flatten(values(local.input)[*].ssm_secrets)ssm_secrets_map = { for v in local.ssm_secrets_all : v.name => v }cluster_secretstore_name = "not provided secretstore name"}resource "kubectl_manifest" "secret" {for_each = local.ssm_secrets_mapyaml_body = yamlencode({apiVersion = "external-secrets.io/v1beta1"kind = "ExternalSecret"metadata = {name = replace(each.value.ssm_path, "/", "-")namespace = split("/", each.value.ssm_path)[0]}spec = {refreshInterval = "30m"secretStoreRef = {name = local.cluster_secretstore_namekind = "ClusterSecretStore"}data = [{secretKey = ".env"remoteRef = {key = each.value.key}}]}})# not included dependencies# depends_on = [kubectl_manifest.cluster_secretstore, kubernetes_namespace_v1.namespaces]}locals {input = yamldecode(<<-EOFrabbitmq:repo_name: bitnaminamespace: rabbitmqtarget_revision: 11.1.1path: rabbitmqvalues_file: charts/rabbitmq/values.yamlssm_secrets: []app_name_1:repo_name: repo_name_1namespace: namespace_1target_revision: target_revision_1path: charts/pathvalues_file: values.yamlssm_secrets:- name: name-dev-1key: .envssm_path: ssm_path/devname-backend:repo_name: repo_name_2namespace: namespace_2target_revision: target_revision_2path: charts/name-backendvalues_file: values.yamlssm_secrets:- name: name-backend-app-devssm_path: name-backend/app/devkey: app.ini- name: name-backend-abi-devssm_path: name-backend/abi/devkey: contractTokenABI.json- name: name-backend-widget-devssm_path: name-backend/widget/devkey: name.ini- name: name-abi-devssm_path: name-abi/devkey: name_1.json- name: name-website-devssm_path: name/website/devkey: website.ini- name: name-name-devssm_path: name/name/devkey: contract.ini- name: name-key-devssm_path: name-key/devkey: name.pubEOF)}terraform {required_version = "~> 1.0"required_providers {kubectl = {source = "gavinbunney/kubectl"version = "~> 1.7"}}}
hint: you could also try to use the kubernetes_manifest resource instead of kubectl_manifest
p.s.: We created Terramate to make complex creation of Terraform code easier. But this seems perfectly fine for pure Terraform.
答案2
得分: 1
如果您修改 for_each 元参数为:
for_each = toset(flatten([for service in var.secrets : service.ssm_secrets]))
那么在名为 each 的默认名称下,kubernetes_manifest.secret 资源内的 lambda/closure 作用域迭代变量将是 list(object) 类型,表示与 YAML 中的哈希列表类似的所需值(Kubernetes 中的映射列表),可以使用 each.value["ssm_path"] 访问 ssm_path,使用 each.value["key"] 访问 key。
英文:
If you modify the for_each meta-parameter to:
for_each = toset(flatten([for service in var.secrets : service.ssm_secrets]))
then the lambda/closure scope iterator variable within the kubernetes_manifest.secret resource with default name each will be a list(object) type representing the desired values analogous to the list of hashes in the YAML (list of maps within Kubernetes), and one can access ssm_path with each.value["ssm_path"], and key with each.value["key"].
通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库,让每个人都能够通过互相帮助和分享经验来进步。
评论